The use of virtual environments continues to increase in the information technology marketplace. In a virtual environment, a host hardware platform can implement multiple virtual machines through the use of hypervisor software running on the host platform. Each virtual machine imitates some or all of the hardware functionality of a separate physical machine. In this way, a host platform implementing multiple virtual machines over shared hardware can provide many advantages, including increased hardware utilization, reduced capital costs, and the ability of a single host platform to independently support different types of operating systems.
The density of virtual machines sharing the same virtual environment can pose problems in securing the virtual environment from network threats. To ensure the security of the virtual machines in a virtual environment, administrators may wish to enforce packet-level security policies on network packets transmitted to or from virtual machines in the virtual environment. One approach to enforcing such policies has been to incorporate a separate virtual appliance into the virtual environment, implemented at the hypervisor level, which inspects network traffic to and from the virtual machines and enforces security policies with respect to the network traffic. However, if a desired level of network security utilizes a significant amount of processing resources, such as in the case of Deep Packet Inspection (DPI) policies, this approach may pose a substantial performance burden on the host platform, thereby reducing the number of virtual machines that may be implemented by the host platform.
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.